Secure requests to the management service can be authenticated by creating an Azure AD application and using the Active Directory Authentication Library to obtain an access token from the application. For more information about authentication using Azure AD, see Authentication Scenarios for Azure AD.

Do the following to add an application to Azure AD:

Sign in to the Azure Management Portal.

Towards the bottom of the left menu, click Active Directory, and then click Default Directory.

When you use the code listed above, you need to replace the following:

{tenantId} with the GUID of the application. To find the GUID, go to the Default Directory page in the Active Directory section of the Management Portal, select the application that you previously created, and then click View Endpoints.

Copy the GUID of the application and replace the placeholder with it.

{clientId} with the client identifier. To find the client identifier, go to the Configuration page of the application in the Management Portal.

{redirectUri} with the redirect URI. To find the redirect URI, go to the Configuration page of the application in the Management Portal.

Use the following line of code to assign the token that is returned from the GetAuthorizationHeader method shown above to a variable that can be used by the request:

Secure requests to the management service can be authenticated by using management certificates over SSL. A management certificate must be uploaded to Azure before it can be used. After you add a management certificate to the subscription, you can sign the requests to the service by using the certificate. For information about creating management certificates and associating them with a subscription, see Create and Upload a Management Certificate for Azure.

When designing an application, keep the following points about management certificates in mind:

The Service Management API does not verify that a certificate is still valid. Authentication will succeed against an expired certificate.

All management certificates carry the same set of privileges. There is no notion of “role-based” authentication where one management certificate can be configured in one role and another on the same subscription is configured in a different role.
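Because the service accepts an expired certificate, the validity window has to be enforced by the caller. The following added example (not part of the original page) loads a certificate by thumbprint and refuses to return it outside its NotBefore/NotAfter range. The thumbprint placeholder, the CurrentUser\My store location and the 30-day warning threshold are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ManagementCertificateCheck
{
    // Assumption: the management certificate is installed in CurrentUser\My.
    public static X509Certificate2 LoadValidCertificate(string thumbprint, TimeSpan warnBefore)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly is false so an expired certificate is found and reported
            // here instead of looking like a missing certificate.
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + thumbprint);

            X509Certificate2 cert = matches[0];
            DateTime now = DateTime.Now; // NotBefore and NotAfter are local time
            if (now < cert.NotBefore || now > cert.NotAfter)
                throw new InvalidOperationException(string.Format(
                    "Certificate {0} is outside its validity period ({1:u} to {2:u}).",
                    cert.Thumbprint, cert.NotBefore, cert.NotAfter));
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; it cannot sign requests.");
            if (cert.NotAfter - now < warnBefore)
                Console.Error.WriteLine("Warning: certificate {0} expires on {1:u}; rotate it.",
                    cert.Thumbprint, cert.NotAfter);
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    static int Main()
    {
        const string thumbprint = "<MANAGEMENT-CERT-THUMBPRINT>"; // placeholder, not a real value
        try
        {
            X509Certificate2 cert = LoadValidCertificate(thumbprint, TimeSpan.FromDays(30));
            Console.WriteLine("Using certificate {0}, valid until {1:u}.", cert.Subject, cert.NotAfter);
            return 0;
        }
        catch (InvalidOperationException ex) { Console.Error.WriteLine(ex.Message); return 1; }
    }
}
```

Since every management certificate carries the same privileges on the subscription, an expired certificate that is still uploaded stays fully usable until it is deleted from the subscription.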

The following example shows how to retrieve the management certificate using the System.Net and System.Security.Cryptography.X509Certificates libraries: